Hide a generated or fetched secret from logs.
Section: Permissions and secrets
Mask a dynamic sensitive value
bash
bash
echo "::add-mask::$TOKEN"Explanation
Mask runtime-generated credentials or sensitive values before any command could log them.
Learn the surrounding workflow
Compare similar commands or jump into common fixes when this command is part of a bigger troubleshooting path.
Related commands
Same sheet · prioritizing Permissions and secrets
Set least-privilege token permissions
Limit the default GITHUB_TOKEN scope.
Grant write access only where needed
Elevate token permissions on a specific job.
Expose a secret as an environment variable
Use the `secrets` context in step env.
Use protected environments for deploys
Require approval and environment-scoped secrets.
Do not expose secrets to untrusted forks
Avoid unsafe patterns for public repo pull requests.